Abstract

A vulnerability discovery model describes the variation in the vulnerability discovery rate during the lifetime of a software system and can be used to assess risk and to evaluate possible mitigation approaches. A few vulnerability discovery models have recently been proposed. The AML Logistic model has been found to provide the best fit in several cases. Weibull distribution, which can model an asymmetric pdf, is often used for reliability evaluation in some fields but has not been used for modeling vulnerability discovery. Here we propose a new Weibull distribution based on vulnerability discovery model and compare it with the existing AML Model. The results show that the new model performs well in many cases, and may be considered as an alternative to the AML model.